GAO: CMS Must Improve Medicare, Medicaid Anti-Fraud Efforts

The Department of Health and Human Services has taken important steps to fight Medicare and Medicaid fraud, but it can further strengthen its efforts in several ways, according to a new government watchdog agency report.

The Government Accountability Office estimates that in fiscal 2016, improper Medicare and Medicaid payments totaled about $95 billion.

The GAO review of HHS' Centers for Medicare and Medicaid Services' anti-fraud efforts notes that CMS needs to more fully align those efforts with GAO's Framework for Managing Fraud Risks in Federal Programs. That framework outlines best practices for four phases: commit; assess; design and implement; and evaluate and adapt.

Sizing Up CMS' Efforts

"CMS has shown commitment to combating fraud in part by establishing a dedicated entity - the Center for Program Integrity - to lead anti-fraud efforts. Furthermore, CMS is offering and requiring anti-fraud training for stakeholder groups, such as providers, beneficiaries, and health insurance plans," GAO writes.

But, the GAO notes: "CMS does not require fraud-awareness training on a regular basis for employees, a practice that the framework identifies as a way agencies can help create a culture of integrity and compliance."

Regarding the assess, design and implement components, CMS has taken steps to identify fraud risks, such as by designating specific provider types as high risk and developing associated control activities, the watchdog agency writes.

"However, CMS has not conducted a fraud risk assessment for Medicare or Medicaid, and has not designed and implemented a risk-based anti-fraud strategy. A fraud risk assessment allows managers to fully consider fraud risks to their programs, analyze their likelihood and impact, and prioritize risks."

Managers can then design and implement a strategy with specific control activities to mitigate these fraud risks, as well as an appropriate evaluation approach consistent with the evaluate and adapt component, GAO writes. "By developing a fraud risk assessment and using that assessment to create an anti-fraud strategy and evaluation approach, CMS could better ensure that it is addressing the full portfolio of risks and strategically targeting the most significant fraud risks facing Medicare and Medicaid."

Major Fraud Risks

CMS programs provide healthcare coverage for 145 million individuals, with annual outlays of about $1.1 trillion, GAO says. Medicare and Medicaid provide coverage for 129 million individuals, "but the size - in terms of number of beneficiaries and amount of expenditures - as well as complexity of these programs make them inherently susceptible to fraud and improper payments."

The report notes: "CMS currently manages these risks across its programs as part of a broader approach to identifying and controlling for multiple sources of improper payments and by developing relationships with an extensive network of stakeholders. In Medicare and Medicaid specifically, we note that CMS has taken many important steps toward implementing a strategic approach for managing fraud. However, the agency could benefit by more fully aligning its efforts with the four components of the Fraud Risk Framework."

Data Analytics

GAO also notes that as part of CMS's anti-fraud efforts, the agency has implemented data analytics as called for under [the] Small Business Act of 2010, which required it to implement predictive-analytics technologies.

In 2011, CMS implemented a data-analytic system, called the Fraud Prevention System, that screens all Medicare fee-for-service claims to identify healthcare providers with suspect billing patterns for further investigation, GAO writes. Medicare contractors have used the data analytics system to identify and prioritize leads for investigations of potential fraud by high-risk Medicare fee-for-service providers, GAO says.

"Contractors told us that [the Fraud Prevention System] allows them to quickly identify and triage leads. CMS's guidance requires contractors to prioritize investigations with the greatest program impact or urgency and identify required criteria for prioritizing investigations, such as patient abuse or harm, multistate fraud, and high dollar amount of potential overpayments."

GAO Recommendations

GAO recommends CMS ramp up its anti-fraud efforts by implementing three key recommendations:

Provide fraud-awareness training relevant to risks facing CMS programs and require new hires to undergo such training and all employees to undergo training on a recurring basis;

Conduct fraud risk assessments for Medicare and Medicaid, including fraud risk profiles and plans for regularly updating the assessments and profiles;

Create, document, implement and communicate an anti-fraud strategy that is aligned with and responsive to regularly assessed fraud risks. This strategy should include an approach for monitoring and evaluation.

GAO notes that HHS agreed to the three recommendations and described how it plans to address the issues spelled out in the report.

For instance, regarding GAO's recommendation to conduct fraud risk assessments for Medicare and Medicaid, HHS stated that it's conducting a fraud risk assessment on the Affordable Care Act federally facilitated marketplaces and, when this assessment is completed, will apply the lessons learned in assessing this program to fraud risk assessments of Medicare and Medicaid.

Complex Issues

Fighting healthcare fraud clearly is a complex issue that requires a multifaceted approach.

"Medicaid reimbursements are notoriously low. Crooks use this as motivation to 'game' the system," says Kerry McConnell, partner and principal consultant at tw-Security, who has previously worked in Medicaid claims processing. "Crooks get greedy and then they get flagged, caught. More training to identify fraud can't hurt, but technical tools are more effective."

Some security experts say private health insurers also might benefit from implementing some of the anti-fraud practices recommended by the GAO, although not all of those might prove effective.

For instance, fraud awareness training is "very important, but not something an organization can or should rely on," says Mac McMillan, CEO of security consultancy CynergisTek. "Environmental awareness is not something users are particularly skilled at. And even when they do see something that doesn't fit the profile, they often fail to report it, because they don't want to get someone in trouble or be perceived as a busybody. It's just not reliable."

For private sector healthcare organizations, "conducting risk assessments for fraud is only going to tell you perhaps where you are most at risk, but it's not going to directly reduce fraud," McMillan contends. "The new user and entity behavior analytics tools for behavioral analysis are uniquely suited to identify and alert on fraud activities and abnormal behavior by users. Organizations need to implement these advanced analytics and alert tools. Compliance-based monitors are not going to help stem this problem."

Value of Data Analytics Oversold?

But not everyone is sold on the benefits of data analytics and other technology in battling healthcare fraud.

"Anti-fraud technology has been - for at least two decades - some kind of unicorn," claims privacy attorney Kirk Nahra of law firm Wiley Rein. "We all want to believe in it, and it seems beautiful, but it really hasn't made too much of a difference. That doesn't in any way mean that we shouldn't keep trying to find better ways to use technology in these efforts, but it is just really hard."

When it comes to healthcare provider organizations that can potentially become unwitting participants or victims of fraud committed by a rogue employee, training, technology and other such efforts only go so far, Nahra says.

"Most healthcare fraud is perpetrated through higher-level decisions, which can range from confusion about the rules, to aggressive billing to true [intentional] fraud," he says. "It is very hard to draw these lines in some situations, particularly in advance of processing the claims. Patterns are particularly important, which is why 'after the fact' technology has been more effective in identifying [billing] fraud than 'pre-pay' [claims analysis] technology."

About the Author

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
